Repeated login (after session invalidation) with different credentials results in incorrect role set. LOGIN MODULES ARE BEING REUSED

Description

Suppose we have two users, "user" with role "user" and "manager" with role "manager", and two secured areas, /user/* and /manager/*, so that only users holding role "user" can access pages under /user/* and only users holding role "manager" can access pages under /manager/*.

If we log in as "user", we can access only /user/* pages and get "403 Forbidden" if we try to access /manager/* pages. It is OK.

Now, if we invalidate the session (request.getSession().invalidate()), we are logged out, so we can access neither /user/* nor /manager/* pages: the server redirects to the login page. It is OK.

But if we log in a second time, as "manager", we can access both page sets, /user/* and /manager/*! This means the authenticated user holds both roles, "user" and "manager", which should be an impossible combination.
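To make the mechanism behind the title concrete, here is an added example (not code from this report or from any container): a toy JAAS LoginModule is run twice against the same Subject, once without and once with a logout() between the two logins, and the role principals left on the Subject are collected in each case. All names here (RoleAccumulationDemo, ToyLoginModule, RolePrincipal, rolesAfterRelogin, the "app" configuration entry and the user-to-role table) are assumptions for the demo; it needs Java 17 or later.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class RoleAccumulationDemo {
    // Constructed user -> role table for the two accounts named in the report.
    static final Map<String, String> ROLE_OF_USER = Map.of("user", "user", "manager", "manager");
    public record RolePrincipal(String name) implements Principal { public String getName() { return name; } }
    // Toy LoginModule (an assumption, not any container's real module): grants one role principal per user.
    public static class ToyLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private RolePrincipal role;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            try { handler.handle(new Callback[] { nc }); } catch (Exception e) { throw new LoginException(e.toString()); }
            String r = ROLE_OF_USER.get(nc.getName());
            if (r == null) throw new FailedLoginException("unknown user: " + nc.getName());
            role = new RolePrincipal(r); return true;
        }
        public boolean commit() { subject.getPrincipals().add(role); return true; }  // the role lands on the Subject
        public boolean abort()  { role = null; return true; }
        public boolean logout() { subject.getPrincipals().remove(role); role = null; return true; }
    }
    static final Configuration CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(ToyLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
        }
    };
    static CallbackHandler as(String user) {
        return cbs -> { for (Callback c : cbs) if (c instanceof NameCallback nc) nc.setName(user); };
    }
    /** Logs in as "user", then as "manager", on one Subject; returns the role names that remain on it. */
    static Set<String> rolesAfterRelogin(boolean logoutBeforeRelogin) throws LoginException {
        Subject subject = new Subject();                          // the Subject a container keeps per session
        LoginContext first = new LoginContext("app", subject, as("user"), CONFIG); first.login();
        if (logoutBeforeRelogin) first.logout();                  // the step session invalidation must not skip
        new LoginContext("app", subject, as("manager"), CONFIG).login();
        Set<String> names = new TreeSet<>();
        for (Principal p : subject.getPrincipals()) names.add(p.getName());
        return names;
    }
    public static void main(String[] args) throws LoginException {
        System.out.println("Subject reused, no logout:  " + rolesAfterRelogin(false));
        System.out.println("logout before re-login:     " + rolesAfterRelogin(true));
    }
}
```

Without the logout() the second commit() only adds to the principals the first login left behind, which is exactly the "user" plus "manager" state described above; a regression check for a container is the same call sequence with an assertion that the second login leaves only the new user's roles on the Subject.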